Private Mode... actually, it isn't

Post Meta

For the past several weeks, we've been focused on first person research in order to understand how people use their browsers, what vulnerabilities they feel online, and whether they are sufficiently motivated to take protective measures. To say it has been fascinating would be an understatement. We joke that with a billion people using the web, we'll see a billion browser use cases

The highest correlation of "concern-to-action" was when users had experienced a security issue first hand. This is obvious - once you've felt the pain of an infection or fraud, you're more motivated to take precautions. The biggest non-obvious finding was in the area of online privacy. Concern about online privacy is expressed almost universally. People are outraged that ISPs, search engines, sites and vendors can install cookies and track behavior. And they really freak when they hear that some companies will share data. But users typically don't do anything about it. When we probed, we learned some interesting things.

Privacy is a motherhood and apple pie issue. People naturally say they want their privacy. But they don't really understand what the risks are to them.

Managing privacy in the browser is impossible for users. A few people might flush or restrict cookies, but they don't have the context to make informed decisions on what level of tracking is OK, and what is suspect.

Many users want privacy, yet they like the relevance of the advertisements they see. They're OK with this privacy-for-personalization exchange, and aren't motivated to make changes.

There was one mind-blower in the privacy discussion: how users use the private mode of their browser. All the major browsers have a private or incognito mode that is meant to limit tracking during browsing. The important detail here - and one that was lost on most users - was exactly what tracking is limited when private mode is invoked.

Users told us that they use private mode to hide their history, to keep cookies off their machine, or to keep their IP address hidden from the site they visit. We had one user say they use privacy mode at work for their personal activity so IT couldn't supervise them.

This is not how private mode works! Private mode will do two things to protect you:

Prevent the browser from storing your browsing history. This means another user on your machine will not be able to see what sites you visited.

Delete any cookies delivered during the private session.

In a world where everyone plays by the rules and all cookies are "clean", that would keep sites from tracking you. But alas, it isn't a friendly world out there and websites rely heavily on site visit analytics. Some sites deliver cookies that persist, even when a copy is deleted (zombie cookies). Sites that deliver these cookies can track repeat visits and more, regardless of private mode. Some browser extensions write their own cookies (Flash) to the same effect as the zombie cookie. And some extensions can share information with a site from another non-private tab, regardless of the session being conducted in the private tab. A site exploiting an extension like this can track more than just your current browsing activity.

And regardless of your private mode, your ISP (or your IT guy) can see your machine IP and what sites you're visiting. Ars Technica can tell you about the technical bits here.

It is best to assume that private mode does nothing to restrict how you're being tracked online. If you truly want browsing without tracking, you need to mask your activities to anything upstream from your computer. Your current options are to build your own proxy in a cloud somewhere, to use Tor to access the free anonymity network, or to buy a commercial service like Anonymizer.

Regardless of how you approach this issue, it's critical for users to understand this: private mode will keep your computer from tracking what sites you visit. It does nothing to keep those sites you visit from tracking your computer.